The National Security Agency (NSA ) has its hands in the biggest ransomware cyber attack in history. The NSA found holes in the Windows operating systems and instead of alerting Microsoft it chose to exploit those holes for its own benefit.
The problem with such an approach is the NSA is not the only one who can exploit the holes. At least 70 countries have been hit. FedEx, numerous hospitals, the UK National Health Service, Chinese universities, Spanish telecommunication firms, and Nissan are among the targets. The British National Health Service was hit especially hard. Operations had to be canceled. Patients records were encrypted.
The malware encrypts your computer and to get it back one has to pay a $300 ransom, payable in bitcoin only.
Ransom Note
The Intercept reports LEAKED NSA MALWARE IS HELPING HIJACK COMPUTERS AROUND THE WORLD
IN MID-APRIL, an arsenal of powerful software tools apparently designed by the NSA to infect and control Windows computers was leaked by an entity known only as the “Shadow Brokers.” Not even a whole month later, the hypothetical threat that criminals would use the tools against the general public has become real, and tens of thousands of computers worldwide are now crippled by an unknown party demanding ransom.
The malware worm taking over the computers goes by the names “WannaCry” or “Wanna Decryptor.” It spreads from machine to machine silently and remains invisible to users until it unveils itself as so-called ransomware, telling users that all their files have been encrypted with a key known only to the attacker and that they will be locked out until they pay $300 to an anonymous party using the cryptocurrency Bitcoin. At this point, one’s computer would be rendered useless for anything other than paying said ransom. The price rises to $600 after a few days; after seven days, if no ransom is paid, the hacker (or hackers) will make the data permanently inaccessible (WannaCry victims will have a handy countdown clock to see exactly how much time they have left).
Reuters said that “hospitals across England reported the cyberattack was causing huge problems to their services and the public in areas affected were being advised to only seek medical care for emergencies,” and that “the attack had affected X-ray imaging systems, pathology test results, phone systems and patient administration systems.”
The worm has also reportedly reached universities, a major Spanish telecom, FedEx, and the Russian Interior Ministry. In total, researchers have detected WannaCry infections in over 57,000 computers across over 70 countries (and counting — these things move extremely quickly).
Today’s ongoing WannaCry attack appears to be based on an attack developed by the NSA, code-named ETERNALBLUE. The U.S. software weapon would have allowed the spy agency’s hackers to break into potentially millions of Windows computers by exploiting a flaw in how certain versions of Windows implemented a network protocol commonly used to share files and to print. Even though Microsoft fixed the ETERNALBLUE vulnerability in a March software update, the safety provided there relied on computer users keeping their systems current with the most recent updates. Clearly, as has always been the case, many people (including in government) are not installing updates. Before, there would have been some solace in knowing that only enemies of the NSA would have to fear having ETERNALBLUE used against them — but from the moment the agency lost control of its own exploit last summer, there’s been no such assurance. Today shows exactly what’s at stake when government hackers can’t keep their virtual weapons locked up. As security researcher Matthew Hickey, who tracked the leaked NSA tools last month, put it, “I am actually surprised that a weaponized malware of this nature didn’t spread sooner.”
Security Experts Scramble
The New York Times reports Hacking Attack has Security Experts Scrambling to Contain Fallout.
Governments, companies and security experts from China to Britain on Saturday raced to contain the fallout from an audacious global cyberattack amid fears that if they do not succeed, companies will lose their data unless they meet ransom demands.
The cyberattackers took over the computers, encrypted the information on them and then demanded payment of $300 or more from users to unlock the devices. Some of the world’s largest institutions and government agencies were affected, including the Russian Interior Ministry, FedEx in the United States and Britain’s National Health Service.
While most cyberattacks are inherently global, this one, experts say, is more virulent than most. Security firms said it had spread to all corners of the globe, with Russia hit the worst, followed by Ukraine, India and Taiwan, said Kaspersky Lab, a Russian cybersecurity firm.
The attack is believed to be the first in which such a cyberweapon developed by the N.S.A. has been used by cybercriminals against computer users around the globe.
While American companies like FedEx said they had also been hit, experts said that computer users in the United States had so far been less affected than others because a British cybersecurity researcher inadvertently stopped the ransomware from spreading.
The hackers, who have yet to be identified, included a way of disabling the malware in case they wanted to shut down the attack. They included code in the ransomware that would stop it from spreading if the virus sent an online request to a website created by the attackers. [Mish note: this paragraph is wrong as explained in snips of the article below]
The 22-year-old British researcher, whose Twitter handle is @MalwareTechBlog and who confirmed his involvement but insisted on anonymity because he did not want the public scrutiny, found the kill switch’s domain name — a long and complicated set of letters. Realizing that the name was not yet registered, he bought the name himself. When the site went live, the attack stopped spreading, much to the researcher’s surprise.
“The kill switch is why the U.S. hasn’t been touched so far,” said Matthieu Suiche, founder of Comae Technologies, a cybersecurity company in the United Arab Emirates. “But it’s only temporary. All the attackers would have to do is create a variant of the hack with a different domain name. I would expect them to do that.”
How to Accidentally Stop a Global Cyber Attacks
MalwareTech explains How to Accidentally Stop a Global Cyber Attacks.
So finally I’ve found enough time between emails and Skype calls to write up on the crazy events which occurred on Friday, which was supposed to be part of my week off (I made it a total of 4 days without working, so there’s that). You’ve probably read about the WannaCrypt fiasco on several news sites, but I figured I’d tell my story.
I woke up at around 10 AM and checked onto the UK cyber threat sharing platform where I had been following the spread of the Emotet banking malware, something which seemed incredibly significant until today. There were a few of your usual posts about various organizations being hit with ransomware, but nothing significant…yet. I ended up going out to lunch with a friend, meanwhile, the WannaCrypt ransomware campaign had entered full swing.
When I returned home at about 2:30, the threat sharing platform was flooded with posts about various NHS systems all across the country being hit, which was what tipped me off to the fact this was something big. Although ransomware on a public sector system isn’t even newsworthy, systems being hit simultaneously across the country is (contrary to popular belief, most NHS employees don’t open phishing emails which suggested that something to be this widespread it would have to be propagated using another method). I was quickly able to get a sample of the malware with the help of Kafeine, a good friend and fellow researcher. Upon running the sample in my analysis environment I instantly noticed it queried an unregistered domain, which I promptly registered. …..
[MalwareTech explains why the kill switch thesis is wrong].
I believe they were trying to query an intentionally unregistered domain which would appear registered in certain sandbox environments [protected sites used to analyze viruses], then once they see the domain responding, they know they’re in a sandbox the malware exits to prevent further analysis. This technique isn’t unprecedented and is actually used by the Necurs trojan (they will query 5 totally random domains and if they all return the same IP, it will exit); however, because WannaCrypt used a single hardcoded domain, my registration of it caused all infections globally to believe they were inside a sandbox and exit…thus we initially unintentionally prevented the spread and and further ransoming of computers infected with this malware. Of course, now that we are aware of this, we will continue to host the domain to prevent any further infections from this sample.
One thing that is very important to note is our sinkholing only stops this sample and there is nothing stopping them removing the domain check and trying again, so it’s incredibly important that any unpatched systems are patched as quickly as possible.
Protect Yourself
His story is long, complicated, and technical. Nonetheless, it’s an interesting read. I corrected a few typos. He concludes with some thanks to companies and organizations who helped him, including Microsoft for releasing “out of bounds patches for unsupported operating systems so people would not have to upgrade on the spot.
If you have anything to patch, patch it. If you need a guide, this one is being regularly updated: Protecting your organization from ransomware.
Now I should probably sleep.
75,000 Cases in 99 Countries
The BBC reports Massive Ransomware Infection Hits Computers in 99 Countries.
A massive cyber-attack using tools believed to have been stolen from the US National Security Agency (NSA) has struck organizations around the world.
Cyber-security firm Avast said it had seen 75,000 cases of the ransomware – known as WannaCry and variants of that name – around the world.There are reports of infections in 99 countries, including Russia and China. Among the worst hit was the National Health Service (NHS) in England and Scotland.
The BBC understands about 40 NHS organizations and some medical practices were hit, with operations and appointments canceled.In Spain, a number of large firms – including telecoms giant Telefonica, power firm Iberdrola and utility provider Gas Natural – were also hit, with reports that staff at the firms were told to turn off their computers.
People tweeted photos of affected computers including a local railway ticket machine in Germany and a university computer lab in Italy.
France’s carmaker Renault, Portugal Telecom, the US delivery company FedEx and a local authority in Sweden were also affected.The NSA tools were stolen by a group of hackers known as The Shadow Brokers, who made it freely available in April, saying it was a “protest” about US President Donald Trump.
A patch for the vulnerability was released by Microsoft in March, which would have automatically protected those computers with Windows Update enabled.
Microsoft said on Friday it would roll out the update to users of older operating systems “that no longer receive mainstream support”, such Windows XP (which the NHS still largely uses), Windows 8 and Windows Server 2003.
Critical Microsoft Server Update
If you are running Microsoft servers it is critical to apply Microsoft Security Bulletin MS17-010 – Critical released in March.
This security update resolves vulnerabilities in Microsoft Windows. The most severe of the vulnerabilities could allow remote code execution if an attacker sends specially crafted messages to a Microsoft Server Message Block 1.0 (SMBv1) server.
Pertinent Tweets
Hospitals say backlog will go on for some weeks after today’s cyber attack #NHScyberattack pic.twitter.com/BGV5jV7KZ1
— Sky News Tonight (@SkyNewsTonight) May 12, 2017
NHS hack: So NSA had secret backdoor into Windows. Details leaked few weeks ago. Now backdoor being exploited by random criminals. Nightmare
— Sam Coates Sky (@SamCoatesSky) May 12, 2017
If NSA builds a weapon to attack Windows XP—which Microsoft refuses to patches—and it falls into enemy hands, should NSA write a patch? https://t.co/TUTtmc2aU9
— Edward Snowden (@Snowden) May 12, 2017
Questions Abound
- Just how stupid was the NSA to get hacked itself?
- Just how stupid was the NSA for attempting to utilize the hole instead of informing Microsoft?
- Did the NSA demand that backdoor?
- Do we thank the folks who hacked the NSA for publicizing the backdoor necessitating the need to patch the hole?
Bonus fifth question: When does the Congressional investigation start?
Mike “Mish” Shedlock
